Signing on to portal.azure.com requests codes from my new and then my old iPhone authentication app

Question

Hi all,

 

I have recently moved to a new phone and copied all accounts to the new MS authentication app with . After I verified everything was working, I deleted the old iPhone authentication app from Security info for my account (Microsoft Entra). When I sign on to portal.office.com, I get prompted to enter a code on the new iPhone authentication app, which is accepted, and the portal displays as expected.

 

When I sign on to portal.azure.com, I get prompted to enter a code on the new iPhone authentication app, which is accepted, but then I get prompted to enter a code again. This has to be done on the old iPhone authentication app, after which the portal is displayed.

 

If I have signed on to portal.office.com, and then browse to portal.azure.com in the same tab window, I have to enter a code on the old iPhone authentication app.

 

I have nothing running in Azure that would be using my credentials, as far as I am aware.

 

How do I get this resolved?

 

TIA

 

Jon

Answer 1

The issue you're experiencing with Microsoft authentication apps on your old and new iPhones seems to be related to how your accounts are set up for multi-factor authentication (MFA). It's possible that there are some cached credentials or settings causing this behavior. Here are steps you can take to try to resolve this issue:

Clear Cached Data:

• On your new iPhone, try clearing the cache and data for the Microsoft Authenticator app.
• On an iPhone, you can do this by going to "Settings" > "Apps" > "Microsoft Authenticator" > "Storage" > "Clear Cache" and "Clear Data." This may help ensure that the app is using the most up-to-date information.

Re-Enroll for MFA:

• Remove your account from the Microsoft Authenticator app on both old and new iPhones.
• Re-enroll for multi-factor authentication on your Microsoft account.
• Follow the setup process, ensuring that you only have one instance of your account on the new iPhone.

Check Account Security Settings:

• Log in to your Microsoft account on a web browser.
• Go to your account settings and check the security settings for multi-factor authentication.
• Make sure you have only one device (your new iPhone) registered for MFA.

Azure Portal Settings:

• Log in to the Azure portal (portal.azure.com).
• Navigate to "Azure Active Directory."
• Check for any conditional access policies or settings that might be affecting your account.
• Review the "Security Defaults" or "Conditional Access" policies to ensure they are correctly configured.

Contact Microsoft Support:

• If the issue persists, and you've tried the above steps, consider contacting Microsoft support for assistance. They can help investigate and resolve any account-specific issues.

Reset Azure Portal Cache:

• If the problem only occurs in the Azure portal, try clearing your browser cache and cookies. Sometimes, cached data in the browser can cause unexpected behavior.

Device Registration in Azure:

• In the Azure portal, check for any device registrations under "Azure Active Directory" > "Devices." Make sure there are no unexpected devices registered.

Please proceed with caution when making changes to your authentication settings, and if you're unsure about any steps, it's advisable to seek assistance from Microsoft support or your organization's IT department, especially when dealing with security-related issues.

Answer 2

So the second authentication prompt proved to be from another tenancy directory I had linked to my sign on. Turning off the default security setting proved this directory was the cause. To fix it I had to logon to that tenancy using a different account, and then I could select the Revoke multifactor authentication sessions and Require re-register multifactor authentication for the sign on in question.

I am waiting on a feedback request for the Azure support case as I believe there are some issues to be looked at.

• why was the second directory requesting this authentication for a guest account from another directory where authentication had been performed?
• the use of the old iPhone authentication app was not visible anywhere in the linked directory when signed on with the affected account.
• the error message when attempting Revoke multifactor authentication sessions and Require re-register multifactor authentication on the signed on account was useless. It was not until I tried the password reset and got a sensible error message that I could not do that to the same account I was signed on with, that the penny dropped!

Jon